Symptoms

While requesting an SSL/HTTPS certificate from Let's Encrypt for a new server, I ran into the following error (the HTTP-01 challenge could not reach the server on port 80):

Failed authorization procedure. new.lesstif.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://new.lesstif.com/.well-known/acme-challenge/NXqaYCws-a46TbVqRqOvLUNWz6LJ3AsMVvTo4RG0e3w: Timeout during connect (likely firewall problem)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: new.lesstif.com
   Type:   connection
   Detail: Fetching
   http://new.lesstif.com/.well-known/acme-challenge/NXqaYCws-a46TbVqRqOvLUNWz6LJ3AsMVvTo4RG0e3w:
   Timeout during connect (likely firewall problem)

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.

The firewall already allowed port 80 from the public internet, and after searching I still could not find the cause, so I decided to prove ownership of the domain by adding a TXT record instead (the DNS challenge) and then issue the SSL certificate. The steps are summarized below.


Issuing with a TXT record


  1. Run certbot with the --manual option and --preferred-challenges dns.

    certbot certonly -d new.lesstif.com --manual --preferred-challenges dns
  2. At the prompt asking whether you allow the IP address to be logged, enter Y.

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    NOTE: The IP of this machine will be publicly logged as having requested this
    certificate. If you're running certbot in manual mode on a machine that is not
    your server, please ensure you're okay with that.
    
    Are you OK with your IP being logged?
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    (Y)es/(N)o: Y
  3. When the value to put in the TXT record is printed, copy it. Do not press Enter yet.

    Please deploy a DNS TXT record under the name
    _acme-challenge.new.lesstif.com with the following value:
    
    slqQSBrs4rToROM7LyEeBVvI92YXi3JJ-RK6S5OBKNc
    
    Before continuing, verify the record is deployed.
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Press Enter to Continue
  4. Register the TXT record on the DNS server: name _acme-challenge.new.lesstif.com, type TXT, value as printed above. The screen will differ depending on the DNS service provider.

  5. Open a new terminal and confirm that the record is published (it can take a little while for a newly added record to become visible).

    $ nslookup -q=TXT _acme-challenge.new.lesstif.com
    
    
    Server:         168.126.63.1
    Address:        168.126.63.1#53
    
    Non-authoritative answer:
    _acme-challenge.new.lesstif.com text = "slqQSBrs4rToROM7LyEeBVvI92YXi3JJ-RK6S5OBKNc"
    
    Authoritative answers can be found from:
  6. Go back to the terminal where Let's Encrypt is waiting and press Enter.
  7. Confirm that the certificate was issued correctly and configure the web server with the files shown.

    Waiting for verification...
    Cleaning up challenges
    
    IMPORTANT NOTES:
     - Congratulations! Your certificate and chain have been saved at:
       /etc/letsencrypt/live/new.lesstif.com/fullchain.pem
       Your key file has been saved at:
       /etc/letsencrypt/live/new.lesstif.com/privkey.pem
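As an added example that is not part of the original post, here is a small shell helper for step 5: it waits until the _acme-challenge TXT record carries exactly the value certbot printed, as seen from a public resolver, so you only press Enter in step 6 once the record is really visible. It assumes `dig` (package dnsutils / bind-utils) is installed; the 1.1.1.1 resolver is just an arbitrary public choice.

```shell
#!/bin/sh
# Added example, not from the original post: check the DNS challenge record
# before telling certbot to continue. Assumes `dig` is available.

# Prints the record name certbot asks for (_acme-challenge.<domain>).
challenge_name() {
    printf '_acme-challenge.%s\n' "$1"
}

# txt_value_present OUTPUT EXPECTED
# Pure text check, no network: returns 0 if EXPECTED is one of the TXT strings
# in OUTPUT (the text printed by `dig +short TXT ...`, one quoted string per line).
txt_value_present() {
    output=$1
    expected=$2
    # Strip dig's surrounding quotes, then require an exact full-line match (-x)
    # so a stale record that merely contains the token does not pass.
    printf '%s\n' "$output" | tr -d '"' | grep -qxF -- "$expected"
}

# wait_for_txt DOMAIN EXPECTED [RESOLVER] [TRIES]
# Polls RESOLVER every 10 s until the record carries EXPECTED or TRIES run out.
wait_for_txt() {
    domain=$1
    expected=$2
    resolver=${3:-1.1.1.1}
    tries=${4:-12}
    name=$(challenge_name "$domain")
    command -v dig >/dev/null 2>&1 || { echo "dig not found" >&2; return 2; }
    i=1
    while [ "$i" -le "$tries" ]; do
        out=$(dig +short TXT "$name" "@$resolver" 2>/dev/null)
        if txt_value_present "$out" "$expected"; then
            echo "OK: $name = $expected (seen via $resolver)"
            return 0
        fi
        echo "attempt $i/$tries: record not visible yet, waiting 10 s" >&2
        i=$((i + 1))
        sleep 10
    done
    echo "FAILED: $name does not carry the expected value on $resolver" >&2
    return 1
}

# Usage (values from the steps above):
# wait_for_txt new.lesstif.com slqQSBrs4rToROM7LyEeBVvI92YXi3JJ-RK6S5OBKNc
```

Because the record was created by hand, a later `certbot renew` will ask for a fresh TXT value and the same manual step again (unless you script it with --manual-auth-hook), so the helper is worth keeping around.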

Verification

Open the site over https in a browser and confirm that it works correctly.